In Release 7 of the UMTS cellular wireless communication system, the standardization setting body 3rd Generation Partnership Project (3GPP) has drafted technical specification TS 33.220-780 to strengthen the existing authentication and key agreement (AKA) process. The newer AKA process described in the TS 33.220 specifies a process involving the wireless transmit/receive unit (WTRU) that incorporates a UMTS Integrated Circuit Card (UICC) and the Home Location Register/Home Subscriber System (HLR/HSS).
FIG. 1 shows the network elements and their respective interfaces envisioned for the AKA process. A bootstrapping server function (BSF) is part of the network element which is under the control of a mobile network operator (MNO) and participates in the generic bootstrapping architecture (GBA) with UICC-based enhancements (GBA_U) along with the WTRU and the HSS to establish a shared secret between the network and the WTRU. A network application function (NAF) is hosted as part of the network element and uses a GBA established shared secret for deriving keys for securing the communication path between the WTRU and a NAF. A subscriber location function (SLF) is used by the bootstrapping server function (BSF) to acquire the details of the Home Subscriber System (HSS), which contains the required subscriber specific data when the BSF is not configured or managed by a pre-defined HSS. The HSS stores all the user security settings (USS), the subscriber has either a multiple IP multimedia services identity module (ISIM) or user services identity module (USIM) applications on the UICC. The HSS may contain one or more GBA user security settings (GUSS) which can be mapped to one or more private identities. Ub refers to the reference point between the WTRU and the BSF. The mutual authentication procedure between the WTRU and the BSF takes place on this reference point and session keys are bootstrapped based on 3GPP AKA infrastructure. Ua is the reference point between the WTRU and the NAF that carries the application protocol and is secured by deriving keys based on the key material agreed between the WTRU and the BSF as a result of HTTP Digest AKA over the Ub reference point. Zn is the reference point between the NAF and the BSF and is used by the NAF to acquire the key material (agreed during previous HTTP Digest AKA protocol over Ub) and the application specific USS from the BSF. Zh is the reference point between the BSF and the HSS and is used by the BSF to retrieve the authentication information and GUSS from the HSS. Dz is the reference point between the BSF and the SLF and is used by the BSF to retrieve the name of the HSS which contains the subscriber specific information.
Two procedures are discussed in TS 33.220. The first is the GBA enhanced by the UICC (GBA_U) process, and the second is the Security Association (SA) process.
In the GBA_U process, the UICC and the BSF mutually authenticate each other and establish key Ks called the GBA_U key by deriving it from a subscriber authentication key K that is shared between the UICC and the HLR/HSS.
Referring to FIG. 2, steps for the GBA_U process are as shown and are further described as follows. An ME, at step S1, sends an HTTP request to the BSF for the initiation of a GBA_U process. The ME inserts a user identity (temporary IP multimedia private identity (TMPI) or IP Multimedia Private Identity (IMPI)) in the username parameter field of the HTTP request. The BSF, at S2, fetches the Authentication Vector (AV=RAND∥AUTN∥XRES∥CK∥IK) and the GBA user security settings (GUSS) from HLR/HSS (over the Zh reference point), where AUTN=SQNMS⊕[AK]∥AMF∥MAC. The BSF then computes MAC* (=MAC⊕Trunc(SHA-1(IK))). The MAC is used to protect the integrity of the RAND and the AUTN. The BSF, at S3, forwards the RAND and AUTN* (=SQN xor AK∥AMF∥MAC*) to the ME and stores XRES, CK and IK, in an HTTP 401 Unauthorized WWW—Authenticate: Digest message. The ME, at S4, forwards the received RAND and AUTN* to the UICC, in a HTTP 401 Unauthorized WWW—Authenticate: Digest message. The UICC, at S5, runs the AKA algorithm, i.e., computes IK and XMAC and then the UICC checks AUTN (i.e. SQN⊕AK∥AMF∥MAC) to verify that the challenge is from an authorized network; the UICC also calculates CK and RES. This will result in the creation of the session keys CK and IK, where Ks=CK∥IK, in both the BSF and UICC. The UICC, at S6, forwards RES to ME. The ME, at S7, sends another HTTP request to the BSF, which contains the Digest AKA response, calculated using RES. The BSF, at S8, verifies the authenticity of the UE, by comparing the received RES with XRES and at S9, creates Ks=CK∥IK and a Bootstrapping Transaction Identifier (B-TID). The BSF, at S10, sends back a 200 OK message including the B-TID and the Key Lifetime to indicate the success of the authentication. The ME, at S11, sends the B-TID and Key Lifetime to the UICC. The UICC, at S12, stores Ks=CK∥IK, B-TID, and the Key Lifetime.
At the end of the GBA_U process, depicted in FIG. 2, both the UICC and the BSF are in state where they can, if needed in a later stage such as the Security Association stage, respectively use the Ks they both have to derive Network Access Function (NAF)-specific keys Ks_ext_NAF and Ks_int_NAF. These derived keys Ks_ext_NAF and Ks_int_NAF are later used to secure the Ua reference point. Ks_ext_NAF is computed in the UICC as Ks_ext_NAF=KDF(Ks, “gba-me”, RAND, IMPI, NAF_Id); Ks_int_NAF is computed in the UICC as Ks_int_NAF=KDF(Ks, “gba-u, RAND, IMPI, NAF_Id); NAF_Id=FQDN of the NAF∥Ua security protocol identifier. KDF is the key derivation function as specified in TS 33.220-780 Annex B.
After the Ks is established in the GBA_U process, the Security Association process takes place between the NAF and the WTRU. The purpose of this process is for the WTRU and the NAF to decide whether to use the GBA keys (Ks_int_NAF and/or Ks_ext_NAF). By default Ks_ext_NAF is used to later derive the key stream to be used to encrypt the packets between the WTRU and the NAF. However, if Ks_int_NAF or both Ks int_NAF AND Ks_ext_NAF are to be used, then this must be agreed upon in the security association process. Note that such an agreement will overrule the default selection. Also, the key selection indication may be specified in the application specific USS.
Referring to FIG. 3, which depicts the security association steps, the WTRU (ME), before starting communication, checks that Ks (created by GBA_U) is present and is current, and if not, then GBA_U is initiated to create Ks. If Ks is valid and current, ME, at S1, retrieves the B-TID from the UICC and the UICC derives Ks_int/ext_NAF keys. The ME, at S2, sends the B-TID to the NAF as a part of an application request. The NAF, at S3, sends an Authentication Request (incl. B-TID and NAF-ID) to the BSF to send keys corresponding to the B-TID over the Zn reference point. The BSF, at S4, derives Ks_int_NAF and Ks_ext_NAF. If the NAF is GBA_U aware, at S4, it delivers both keys, otherwise it only supplies Ks_ext_NAF along with some other information such as bootstrapping time, lifetime of keys, etc. The NAF will then look into the USS if it is returned from the BSF, to check if the key selection indication is present in which case key(s) indicated in the USS will be used and will then store these key(s). The NAF, at S7, sends the WTRU an Application Answer, indicating that the NAF now has the keys Ks_ext/int_NAF.
Recently, 3GPP TS 33.110-700 proposed the establishment of platform and application specific key Ks_local between the UICC and the Terminal. This key is intended to be used by the UICC and the terminal to secure the channel between them.
The architecture of the reference points in the case where the Terminal is a part of the UICC holding device is shown in FIG. 4. The network elements of FIG. 4 are the same as shown in FIG. 1 with the exception of providing the UICC hosting device. The protocol flow establishing Ks_local between the UICC and the Terminal is shown in FIG. 5. The Terminal, at S1, checks whether a valid Ks key exists in the UICC, by fetching the B-TID and corresponding lifetime from the UICC. If no valid key ks is available in the UICC, the Terminal will request the GBA bootstrapping procedure to establish the Ks key between BSF and UICC. The Terminal then checks whether a valid Ks_int_NAF exists, and if so, it requests the UICC to retrieve B-TID value for the NAF_ID corresponding to the NAF Key Center. If the Terminal does not have the NAF_ID, it requests the UICC to retrieve the value at S2. The UICC, at S3, returns the NAF_ID and B-TID corresponding to the NAF Key Center. The Terminal and NAF Key Center establish the HTTPS type tunnel at S4, with certificate based mutual authentication between the Terminal and the NAF Key Center. The Terminal, at S5, sends a “service request” message over the tunnel, whose payload contains B-TID, the Terminal identifier (Terminal_ID), the smart card identifier (ICCID), the application identifier of UICC application (UICC_appli_ID) and the application identifier of the terminal application (Terminal_appli_ID) requiring the establishment of key Ks_local, and a variable value RANDx. When a platform-specific key, rather than an application-specific key, is desired, the parameters UICC_appli_ID and Terminal_appli_ID will equal the static ASCII-encoded string “platform”. The NAF key center, at S6, determines if the Terminal ID/ICCID is not blacklisted or if the key establishment procedure is allowed for the targeted applications. If these conditions are not met, the NAF key center responds with an appropriate error code and terminates the TLS connection with the Terminal. The NAF key center, at S6, then contacts the BSF and sends B-TID and its own NAF_ID in a credential request (the purpose of this request is to ask the BSF to return related keys Ks_int_NAF and Ks_ext_NAF. Note that Ks_local will be generated only from Ks_int_NAF). The BSF derives Ks_int_NAF and Ks_ext_NAF, and at S7, returns these keys and related information such as bootstrapping time, key lifetime, etc, to the NAF Key Center. The NAF key center, at S8, then generates a suitable 16 octet counter limit for use in the UICC and associates a key lifetime to the derived key Ks_local for use in the terminal. It then derives Ks_local from Ks_int_NAF, using the key derivation function (KDF) as follows:Ks_local=KDF(Ks_int_NAF,B-TID,Terminal_ID,ICCID,Terminal_appli_ID,UICC_appli_ID,RANDx,counter limit)
The NAF key center, at S9, then delivers Ks_local, along with the B-TID, key lifetime and the counter limit, to the Terminal, over the HTTPS tunnel established in step S4. At S10, the Terminal stores in its own storage Ks_local and the associated parameters such as the key lifetime, ICCID, Terminal_appli_ID, and UICC_appli_ID. At S11, the Terminal requests the UICC to generate Ks_local and sends it the key material (NAF_ID, Terminal ID, Terminal_appli_ID, UICC_appli_ID, RANDx and counter limit value), along with MAC (=HMAC-SHA-256[Ks_local, NAF_ID∥Terminal_ID∥ICCID∥Term_appli_ID∥UICC_appli_ID∥RANDX∥Counter Limit]) which in turn is truncated to 16 octets=128 bits. The UICC, at S12, retrieves the Ks_int_NAF and B-TID and generates Ks_local=KDF (Ks_int_NAF, B-TID, Terminal_ID, ICCID, Terminal_appli_ID, UICC_appli_ID, RANDx, Counter Limit). The UICC computes MAC′=(HMAC-SHA-256[Ks_local, NAF_ID∥Terminal_ID∥ICCID∥Terminal_appli_ID∥UICC_appli_ID∥RANDX∥Counter Limit]) which in turn is truncated to 16 octets=128 bits. The computed MAC′ is compared with the received MAC. If MAC′ and MAC don't match, a failure message is sent back to the Terminal, at S13. If there is a match between MAC and MAC′, Ks_local and associated parameters such as Terminal_ID, Terminal_appli_ID, UICC_appli_ID and the counter limit are stored in the UICC. At S13, the UICC returns a “verification successful message”, created using Ks_local and the MAC algorithm HMAC-SHA-256 truncated to 16 octets, to the Terminal.
FIG. 5 depicts the establishment of a key between a UICC and a Terminal. The local key establishment process from TS33.110 v7.2.0 relies on the establishment of an HTTPS tunnel (see step S4 in FIG. 5). In TS33.110 v7.2.0, it is specified that the HTTPS tunnel be established using subscriber certificates that certify a public key be used in setting up the tunnel later. The recent 3GPP specification TS33.221 v7.0.0 specifies the steps where such a subscriber certificate is to be established using the steps depicted in FIG. 6.
The sequence diagram in FIG. 6 describes the certificate request when using Public Key Cryptography Standard (PKCS) #10 with HTTP Digest authentication. At S1, the WTRU sends an empty HTTP request to the Public Key Infrastructure (PKI) portal. The PKI portal, at S2, sends an authentication challenge response using HTTP response code 401 “Unauthorized” which contains a WWW-Authenticate header. The header instructs the WTRU to use HTTP Digest authentication. The WTRU generates the HTTP request by calculating the Authorization header values using the bootstrapping transaction identifier (B-TID) it received from the BSF as username and the NAF specific session key Ks_NAF. If the certificate request needs extra assurance by a wireless identity module (WIM) application for key proof-of-origin, the WTRU generates a WIM challenge request containing parameters needed for key proof-of-origin generation. The WTRU, at S4, sends an HTTP request to the PKI portal and includes the WIM challenge request in this request. At S5, the PKI portal, acting as an NAF, receives the request, verifies the authorization header, by fetching the NAF specific session key Ks_NAF from the BSF using the B-TID, calculating the corresponding digest values using Ks_NAF, and comparing the calculated values with the received values in the authorization header. If the verification is successful and extra assurance for the WIM application is needed, the PKI portal may use the PKI portal specific user security setting to compute the WIM challenge response. The PKI portal, at S6, sends back a WIM challenge response containing additional parameters needed for the subsequent PKCS#10 request generation. The PKI portal may use session key Ks_NAF to integrity protect and authenticate this response. The WTRU, at S7, generates the PKCS#10 request and at S8, sends it to the PKI portal using an HTTP Digest request. In the case where the private key is stored in a WIM application, the ME requests the AssuranceInfo from the WIM application and include it in the PKCS#10 request, if provided. The enrollment request will follow the PKCS#10 certificate enrollment format. Adding AssuranceInfo in this request is defined in the OMA ECMA Script specification. The AssuranceInfo provides a proof of origin for the key processing. (E.g. identifies the WIM application and provides proof that the key is stored in it). The WTRU may indicate the desired format of the certification response: a certificate, a pointer to the certificate (e.g., URL), or a full certificate chain (i.e., from the issued certificate to the corresponding root certificate). The WTRU sends an HTTP request for certificate enrollment to the PKI Portal. The enrollment request shall be as follows:
POST <base URL>?response=<indication>[other URL parameters]HTTP/1.1Content-Type: application/x-pkcs10<base64 encoded PKCS#10 blob>                where: <base URL> identifies a server/program. The label <indication> is used to indicate to the PKI portal the desired response type for the WTRU. The possible values are: “single” for subscriber certificate only, “pointer” for pointer to the subscriber certificate, or “chain” for full certificate chain. Further, other URL parameters are additional, optional, URL parameters.The PKCS#10 request is processed by the PKI portal, at S9. If the PKI portal is a Certification Authority (CA), then the certificate is generated at the PKI portal. If the PKI portal is only a registration authority (RA) but not a CA, the PKCS#10 request is forwarded to the CA using any protocol available such as the CMC as specified in IETF RFC 2797 or CMP as specified in IETF RFC 2510 and IETF RFC 2511. In this case, after the PKCS#10 request has been processed and a certificate has been created, the new certificate is returned to the PKI portal. In either case, the PKI portal, at S10, generates an HTTP response containing the certificate, or the pointer to the certificate as defined in clause 7.4 of OMA Wireless PKI spec (WPKI), or a full certificate chain from the issued certificate to the root certificate. If the HTTP response contains the subscriber certificate itself, it shall be base64 encoded, and it may be demarcated as follows:        
HTTP/1.1 200 OKContent-Type: application/x-x509-user-cert-----BEGIN CERTIFICATE-----<base64encodedX.509certificateblob>-----END CERTIFICATE-----If the HTTP response contains the pointer to the certificate, the CertResponse structure defined in subclause 7.3.5 of the OMA WPKI shall be used, and it may be demarcated as follows:
HTTP/1.1 200 OKContent-Type: application/vnd.wap.cert-response-----BEGIN CERTIFICATE RESPONSE-----<base64 encoded CertResponse structure blob>-----END CERTIFICATE RESPONSE-----If the HTTP response contains a full certificate chain in PkiPath structure as defined in and it shall be base64 encoded:
HTTP/1.1 200 OKContent-Type: application/pkix-pkipath<base64 encoded PkiPath blob>The content-type header value for the certificate chain is “application/pkix-pkipath”. The PKI portal may use session key Ks_NAF to integrity protect and authenticate the response, if a certificate or a pointer to the certificate is sent to the WTRU. The PKI portal shall use integrity protection and authenticate the response if full certificate chain is sent to the WTRU. When the WTRU receives the subscriber certificate or the URL to subscriber certificate, it is stored to local certificate management system, at S11.